Focused Application Testing

En Garde reviews services, protocols, untrusted data, and user interaction models from a focused security perspective, allowing you to avoid embarrassing security exposures or costly deployment of patches.

Flawed code and vulnerabilities that pop up in generation after generation of software make a hacker's job easier. Detailed application-level testing allows the system to be rigorously tested, focusing on how attacks would be instigated against the system, including where the application gets information, how that information is processed, and what effect the information has on the underlying system. During an application review En Garde performs analysis to (i) identify any flaws, errors, or other liabilities inherent to the software; (ii) measure the extent to which identified flaws/errors can be exploited to compromise or otherwise subvert system processes and security; and (iii) recommend patches, configuration changes, or other corrective actions that can be taken to strengthen system security. Details of all work performed, including testing and our analysis of network security conditions, are consolidated into a comprehensive report.

Design and Architectural Reviews

En Garde starts by reviewing the design and goals of the application to determine what types of security controls are anticipated. Many applications have to work with untrusted user data, and the control and isolation of that data becomes a critical area of the design and data flow. Additionally, many applications provide their own security functions, for example, access control permissions that limit access within the program, and these features require special consideration.

Threat Modeling and Risk Analysis

En Garde will walk through the application with you to determine the most critical types of attacks and threats. The threats can range from reliability issues, such as handling hundreds of thousands of requests, to data sensitivity issues, such as the requirement that no credit card data ever be exposed to the user. Given these threats, we then evaluate the application's digital risk level.

Test and Validation

In addition to reviewing the design and proposed security functionality, we take a hands-on look at the application implementation to find programmatic and integration errors that may allow an attacker to gain access to the data, application controls, or host system.